Encrypt any disk in Mountain Lion

One of the more interesting—and less visible—new features in Mountain Lion is the ability to encrypt almost any disk. OS X has long offered the ability to encrypt your startup disk using Apple’s FileVault, but Mountain Lion extends this feature to other disks, even to simple USB flash drives. Here is an overview of how this feature works, how you can encrypt and decrypt a disk, and what options you have when doing so.

Encrypt a disk from the Finder

This new full-disk encryption feature is well hidden in Mountain Lion. Typically, you use Apple’s Disk Utility (in /Applications/Utilities) to work with hard disks or other types of removable media. Disk Utility can erase, partition, and repair hard disks, but curiously, it cannot encrypt a hard disk.

Control-click to encrypt

To encrypt a disk, instead right- or Control-click on a hard disk’s icon on the Desktop, or in a Finder window sidebar. Choose Encrypt Disk Name and enter a password. You’ll have to enter the password a second time, and you won’t be able to go any further unless you also enter a password hint. You need to choose a good, secure password, but it shouldn’t be something too complicated.

You’ll most likely use the encryption feature for a portable disk you carry around with you. When you connect the disk to your Mac, or to someone else’s Mac, you’ll need to remember the password to access the files. When you use the disk with your Mac, or, say, a Mac at work, you can store the password in the keychain.

Expect a wait

After you’ve entered your password and clicked on Encrypt Disk, you’ll have to wait. Depending on how big your disk is, your wait could be a few minutes or several hours. In my tests, I found even a 1GB flash drive took several minutes to encrypt. Unfortunately, there is no progress bar, so you have no way of knowing how long this process will take. The only way to be sure something is happening is if the disk has an LED that flashes as it is being read or written to. For this reason, if you are encrypting a large hard disk, you may want to let the process go overnight.

When the disk is finished encrypting (the blinking light on your drive will be your clue), eject it as you would any other disk. When you next connect it to your Mac, a dialogue box will display asking you to enter your password. You can select Remember This Password In My Keychain if you wish to use this disk often and don’t want to have to enter the password every time. If you forget the password, click on Show Hint to see the hint that you recorded. Click on Unlock to allow OS X to decrypt the disk.

Don’t lose your password

Copy files to and from this disk, and they will be encrypted or decrypted on the fly. This feature uses full-disk XTS-AES 128 encryption, which is secure enough for most uses. But I cannot stress enough that if you lose this password, you will not have access to any of the files on the disk. Period. Unlike FileVault, which presents you with a “recovery key” that you can use if you’ve lost your password, there is no safety net here.

If you ever want to turn off encryption, right- or Control-click on the disk and choose Decrypt Disk Name. Enter your password, then click on Turn Off Encryption. As with the encryption process, there is no progress bar or other feedback.

While you can turn on or off encryption while your disk contains files, there is always the chance that something may go wrong. It’s best to make sure you have a copy of those files before encrypting or decrypting.

Use disk encryption from the command line

Can you encrypt your disks from the command line? Of course you can. If you’re not the geeky type, you may not want to read any further. But if you do know how to wield Terminal commands and want more feedback about the encryption process, the following will certainly interest you.

Prepare a disk by converting

You encrypt disks with the diskutil command, but first, you have to convert them to a format called CoreStorage.

Start by running this command:

diskutil list

This returns a list of all the disks connected to your Mac. For example, on my Mac, I see this:

The disk I want to encrypt is the last one, called Untitled. To the right of its name, you can see its identifier, disk4s1. With that information, I can convert the disk to the CoreStorage format with the following command:

sudo diskutil corestorage convert disk4s1

Terminal will request your administrator’s password, then will begin the conversion process. Note that you’ll even see a progress bar on the last line in Terminal, as below.

At this point, your disk is now encrypted. You can eject it from the Finder (or, if you want to stay in Terminal, you can eject it with this command: diskutil eject Untitled), and use it as described above. The next time you connect it to a Mac, you’ll be asked for the password.
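An added example, not from the original article: a dry-run helper that resolves a volume name to its identifier from diskutil list output and prints the convert command only when exactly one volume has that name and it is an Apple_HFS partition on a GUID-partitioned disk. The sample listing is constructed and the function names are hypothetical; the partition-type check and the -stdinpassphrase option (diskutil reads the passphrase from standard input, so it never appears in shell history or the process list) are assumptions drawn from the diskutil man page, not from the article.

```shell
# Constructed sample of `diskutil list` output (not taken from the article).
sample_list() {
cat <<'EOF'
/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.2 GB   disk0s2
/dev/disk4
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *1.0 GB     disk4
   1:                  Apple_HFS Untitled                1.0 GB     disk4s1
/dev/disk5
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:     FDisk_partition_scheme                        *8.0 GB     disk5
   1:                 DOS_FAT_32 STICK                   8.0 GB     disk5s1
EOF
}

# resolve_volume NAME (hypothetical helper): read `diskutil list` text on
# stdin and print "identifier type scheme" for the volume named NAME.
# Exits non-zero if the name is absent or matches more than one volume.
resolve_volume() {
  awk -v want="$1" '
    $1 ~ /^[0-9]+:$/ {
      name = ""
      for (i = 3; i <= NF - 3; i++) name = name (i > 3 ? " " : "") $i
      if ($1 == "0:") scheme = $2        # row 0 names the partition scheme
      else if (name == want) { hits++; out = $NF " " $2 " " scheme }
    }
    END { if (hits != 1) exit 1; print out }'
}

# plan_encrypt NAME (hypothetical helper): print the convert command for
# NAME, or refuse when the target is ambiguous or not Apple_HFS on GUID.
plan_encrypt() {
  info=$(resolve_volume "$1") ||
    { echo "refuse: no unique volume named '$1'" >&2; return 1; }
  set -- $info                           # $1=identifier $2=type $3=scheme
  [ "$2" = "Apple_HFS" ] && [ "$3" = "GUID_partition_scheme" ] ||
    { echo "refuse: $1 is $2 on $3" >&2; return 1; }
  # Assumption (man page): -stdinpassphrase keeps the passphrase out of argv.
  echo "sudo diskutil corestorage convert $1 -stdinpassphrase"
}

sample_list | plan_encrypt Untitled
```

On a real Mac, pipe the live output instead: diskutil list | plan_encrypt Untitled, then review the printed command before running it.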

Decrypt the disk

Decrypting a disk from the command line is pretty simple. Here’s the command you can use, with the LV UUID we saw above. Replace password with your password.

For most users, encrypting volumes in the Finder is the simplest option, but power users may enjoy the feedback and control they get with the command line. Either way, Mountain Lion’s new encryption feature is a great way to secure portable disks that carry sensitive files.